Peer administration on other port than MGMT

We have an XGS4500 active-passive cluster and I stumbled across a pretty annoying issue.

In the past (with XG450 and others) we always set the peer administration address to something that allowed us to monitor the auxiliary device via our monitoring solution. Usually that was just an IP higher than the primary device, on the same interface and on the same subnet as the primary management IP.

On XGS4500 this does not seem to work anymore. The only interface that I am able to select in the peer administration settings is "PortMGMT". We do not use PortMGMT, as we manage our devices through the primary interfaces/VLANs. However, if I set peer administration to PortMGMT and use an IP from a subnet that is also accessible through the primary interfaces, the routing collapses, as it seems to prefer routing through physically connected interfaces (even if it's PortMGMT) instead of the static routes that are set.

This is a complete mess in my opinion!

- Why can't I select ports other than PortMGMT anymore for peer administration?

- Why does PortMGMT participate in routing? If it is meant to act as out-of-band MGMT, then it definitely should not have any impact on routing!



Added V19.5 MR3 TAG
[edited by: Erick Jan at 5:49 AM (GMT -8) on 29 Jan 2024]
  • Hello,

    Thank you for reaching out to the community. Just a question: have you assigned any non-administrative users to the management port's subnet?
    Additionally, you can refer to the doc "How to configure management ports".

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • What's a "non-administrative user"? Unfortunately I can't find any information about that, and it sounds quite strange to "assign" a user to a subnet?

  • Hi FloRa,

    A few questions:

    1. May I know the firmware version you are working on?

    2. Was HA working earlier with the Port A interface (were any changes made so that it is now not working), or is it a new setup?

    3. Did you try with QuickHA mode and interactive mode and get the same mgmt port instead of Port A (LAN)?

    4. Please share the current physical connection setup with firewalls.

    5. Check HA logs

    Check logs:

    cat /log/msync.log | grep "ha:"

    cat /log/applog.log | grep "ha:"

    Quick link to set up HA: HighAvailablityStartupGuide

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 1. It's 19.5.3 MR-3-Build652

    2. HA is working fine. I just can't select anything other than PortMGMT for peer administration. It's not a new setup. I just did not have the need to access the auxiliary device independently until now.

    3. I only do interactive mode, as QuickHA was a pain in previous versions. Never tried it again since v18 or something.

    4. PortF1 and PortF2 are grouped to a LAG which is connected to our ToR switches. The physical LAG has no IP. We're only running VLANs on the LAG. Port 3 is HA. PortMGMT has an IP from a range that usually is being accessed via a transit VLAN on the LAG.

    5. As said... HA is working fine. The problems are the following:

    - I can't select any other interface than PortMGMT as peer administration. Probably because we only have VLAN interfaces? If this is the case, then please document it!

    - PortMGMT is participating in routing, which should not be the case for an out-of-band management port. This is a design failure from Sophos in my opinion.

  • Hello FloRa,

    Reg. your comments, please find my inputs.

    - I can't select any other interface than PortMGMT as peer administration. Probably because we only have VLAN interfaces? If this is the case, then please document it!

    That could be the case in your setup. Only physical, bridge and LAG types of ports are supported for peer administration. If you have any spare data port which can be configured for peer administration, it would be advisable. Otherwise, as an admin, PortMGMT seems appropriate to me. I will check with the documentation team internally and see if it can be included.

    - PortMGMT is participating in routing, which should not be the case for an out-of-band management port. This is a design failure from Sophos in my opinion.

    I would say it's flexibility given to the customer whether they want to use the management port for routing traffic to the Internet or internal networks, based on the setup. Imagine an admin who is only accessing PortMGMT and also accessing the Internet (WAN port, Port2 for example) via that port. In general, I agree that end users might be connected via LAN/DMZ data ports other than PortMGMT.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • It makes sense to me that I am not able to select any other interface as peer administration since only "physical" ports are allowed. Thanks for this clarification. Either I have overlooked this information in the documentation or it is not documented yet.

    However, the MGMTPort thing does not make much sense to me. If PortMGMT behaves exactly like all the other ports, why is it called PortMGMT? It does not give me more flexibility at all, compared to just using any other physical port for the same purpose. As long as there is no workaround to prevent a port from creating a kernel route, there does not seem to be a way to assign a management IP belonging to a subnet that is already accessible through another interface. So I guess the best practice here would either be to assign the MGMT IP to the physical LAG instead of a VLAN interface, or to use a completely different MGMT subnet assigned to another physical port.

  • Yes, you have to use a different subnet for the MGMT port and the other data ports. The MGMT port is a routable interface, as I mentioned above.

    Why is it called PortMGMT? - Because it's connected to host CPU (control/config plane) and not to network processor (NPU/data plane). Its main purpose is to manage the appliance via CLI/GUI.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall
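
The following is an added example, not code from this thread, from Sophos or from any poster. It turns the two conclusions above into a pre-check a firewall admin can run against their own interface table before choosing a peer administration address: which interfaces are selectable at all (the thread states physical, bridge and LAG only), and whether a proposed PortMGMT subnet overlaps a subnet that is already reachable through another interface or a static route, which is what collapsed routing in the original post. The interface names, addresses, VLANs and routes are constructed sample values that merely resemble the setup described.

```python
# Added example (not from the Sophos thread or from Sophos): pre-check a
# proposed PortMGMT / peer administration address against the firewall's
# interface table and static routes. All interface names, addresses and
# routes below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface types the thread says may be selected for peer administration.
PEER_ADMIN_TYPES = {"physical", "bridge", "lag"}


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str              # "physical", "bridge", "lag" or "vlan"
    cidr: Optional[str]    # address/prefix, or None for an unaddressed LAG


@dataclass(frozen=True)
class StaticRoute:
    destination: str       # destination network in CIDR form
    gateway: str
    interface: str         # interface the gateway is reached through


def peer_admin_candidates(interfaces):
    """Names of interfaces that can be chosen for peer administration."""
    return [i.name for i in interfaces if i.kind in PEER_ADMIN_TYPES]


def mgmt_conflicts(mgmt_cidr, interfaces, static_routes):
    """Describe every way the subnet of mgmt_cidr is already reachable.

    Assigning mgmt_cidr to PortMGMT creates a connected (kernel) route for
    its subnet. The thread reports that this connected route is preferred
    over a static route to the same range, so any overlap found here means
    traffic for that range may leave via PortMGMT instead of the data path.
    """
    mgmt_net = ipaddress.ip_interface(mgmt_cidr).network
    conflicts = []
    for iface in interfaces:
        if iface.cidr is None:
            continue
        net = ipaddress.ip_interface(iface.cidr).network
        if net.overlaps(mgmt_net):
            conflicts.append(
                f"{mgmt_net} overlaps connected subnet {net} on {iface.name}")
    for route in static_routes:
        dest = ipaddress.ip_network(route.destination)
        if dest.overlaps(mgmt_net):
            conflicts.append(
                f"{mgmt_net} overlaps static route {dest} via {route.gateway} "
                f"on {route.interface}; the connected route on PortMGMT "
                f"would take precedence")
    return conflicts


# Constructed sample topology: an unaddressed LAG carrying VLANs, an HA
# link, and a transit VLAN that reaches a management range via a static
# route (the pattern the original poster describes).
SAMPLE_INTERFACES = [
    Interface("PortF1-F2 LAG", "lag", None),
    Interface("LAG.100 (transit VLAN)", "vlan", "10.0.100.1/24"),
    Interface("LAG.200 (server VLAN)", "vlan", "10.0.200.1/24"),
    Interface("Port3 (HA)", "physical", "169.254.1.1/30"),
]
SAMPLE_ROUTES = [
    StaticRoute("10.10.50.0/24", "10.0.100.254", "LAG.100 (transit VLAN)"),
]

if __name__ == "__main__":
    print("selectable for peer administration:",
          peer_admin_candidates(SAMPLE_INTERFACES))
    # 10.10.50.10/24 is the problematic choice from the thread (a range
    # normally reached through the transit VLAN); 192.168.250.1/24 is a
    # dedicated management subnet, the workaround agreed on above.
    for candidate in ("10.10.50.10/24", "192.168.250.1/24"):
        issues = mgmt_conflicts(candidate, SAMPLE_INTERFACES, SAMPLE_ROUTES)
        print(candidate, "->", issues or "no overlap, safe for PortMGMT")
```

Running it lists only the LAG and the HA port as selectable (the VLAN sub-interfaces are not), reports the 10.10.50.0/24 candidate as overlapping the static route through the transit VLAN, and accepts the dedicated 192.168.250.0/24 subnet, which matches the "use a different subnet for the MGMT port" conclusion of the thread.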